After the raw security telemetry events have been parsed and normalized, the next step is
to enrich the data elements of the normalized event. Enrichments add external data from data
stores (such as HBase). Examples of enrichments are GEO, where an external IP address is
enriched with GeoIP information (lat/long coordinates plus city/state/country), and HOST,
where an IP is enriched with host details (for example, the IP corresponds to host X, which
is part of a web server farm for an e-commerce application). This information makes the
data more useful and relevant, which assists the SOC analyst and SOC investigator in
researching alerts. Threat intelligence is another type of enrichment. For information about
threat intelligence, see Using Threat Intelligence.

HCP provides the following enrichment sources but you can add your own enrichment sources
to suit your needs:

Asset

GeoIP

User

Note

The telemetry data sources for which HCP includes parsers (for example, Bro, Snort, and
YAF) already include enrichment topologies. These topologies will become effective when you
start the data sources in HCP.

One of the features of the enrichment topology is that it groups messages together by the
HBase key. An advantage of grouping messages this way is that whenever you execute a Stellar
function, you can add a caching layer, so that a call to HBase is not needed for every
event.

Prior to enabling an enrichment capability within HCP, the enrichment store (which for HCP
is primarily HBase) must be loaded with enrichment data. Enrichment data can be bulk loaded
from the local file system or HDFS, or streamed into the enrichment store via the parser
framework. The enrichment loader transforms the enrichment data into a JSON format that
Metron understands. The loading framework can also age data out of the enrichment stores
based on time. Once the stores are loaded, an enrichment bolt that can interact with the
enrichment store can be incorporated into the enrichment topology.

Each enrichment bolt can enrich a specific field/tag within a Metron message. When a bolt
recognizes that it is able to enrich a field, it reaches into the enrichment store, pulls out
the enrichment, and tags the message with the enrichment. The enrichment is then stored within
the bolt's in-memory cache. HCP uses the underlying Storm routing capabilities to make sure
that similar enrichment values are sent to the appropriate bolts that already have these
values cached in-memory.
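The following is an added illustration, not code from HCP or Metron, of the three steps the
preceding paragraphs describe: a loader that reshapes a flat enrichment file into store rows
keyed by (enrichment type, indicator), time-based aging of those rows, and a bolt that
enriches one message field with an in-memory cache keyed by the store key so that messages
grouped on the same key cost a single store lookup. The CSV contents, the extractor
configuration keys, the event fields and the `enrichments.<type>.<field>.<column>` output
naming are all constructed assumptions for this example; a Python dict stands in for HBase.

```python
import csv
import io

# Constructed sample enrichment file (not from the page): one asset record per
# line, IP address first. The config below mirrors the shape of the column,
# indicator and type settings a flat-file enrichment loader needs; the exact
# key names are an assumption for this example, not Metron's own schema.
ASSET_CSV = """10.0.0.5,web-01,web-farm,ecommerce
10.0.0.6,web-02,web-farm,ecommerce
10.0.1.9,db-01,database,ecommerce
"""

EXTRACTOR_CONFIG = {
    "columns": {"ip": 0, "host": 1, "role": 2, "app": 3},
    "indicator_column": "ip",
    "type": "asset",
    "separator": ",",
}


def load_enrichment(csv_text, config, loaded_at):
    """Loader step: reshape each CSV row into a JSON-style dict and key it by
    (enrichment type, indicator), which stands in for the HBase row key."""
    columns = config["columns"]
    indicator_col = config["indicator_column"]
    store = {}
    for row in csv.reader(io.StringIO(csv_text), delimiter=config["separator"]):
        if not row:
            continue
        indicator = row[columns[indicator_col]]
        value = {name: row[idx] for name, idx in columns.items() if name != indicator_col}
        store[(config["type"], indicator)] = {"value": value, "loaded_at": loaded_at}
    return store


def age_out(store, now, max_age_seconds):
    """Time-based aging: drop entries loaded more than max_age_seconds ago."""
    return {k: v for k, v in store.items() if now - v["loaded_at"] <= max_age_seconds}


class EnrichmentBolt:
    """Enriches one message field from the store. Lookups are cached by store key,
    so messages grouped on the same key only cost one store call."""

    def __init__(self, store, enrichment_type, field):
        self.store = store
        self.type = enrichment_type
        self.field = field
        self.cache = {}
        self.store_lookups = 0

    def lookup(self, indicator):
        key = (self.type, indicator)
        if key in self.cache:
            return self.cache[key]
        self.store_lookups += 1
        entry = self.store.get(key)
        value = entry["value"] if entry else None
        self.cache[key] = value  # misses are cached too, so unknown IPs are not re-queried
        return value

    def enrich(self, message):
        indicator = message.get(self.field)
        if indicator is None:
            return message
        value = self.lookup(indicator)
        if value is None:
            return message
        enriched = dict(message)
        for column, v in value.items():
            # Output naming is modelled on Metron's enrichments.<type>.<field>.<column>
            # convention; treat the exact key layout as an assumption.
            enriched[f"enrichments.{self.type}.{self.field}.{column}"] = v
        return enriched


def run_example():
    """Load the constructed file, then push four normalized events through the bolt."""
    now = 1_700_000_000
    store = load_enrichment(ASSET_CSV, EXTRACTOR_CONFIG, loaded_at=now)
    bolt = EnrichmentBolt(store, "asset", "ip_src_addr")
    events = [  # constructed normalized events
        {"source.type": "bro", "ip_src_addr": "10.0.0.5", "ip_dst_addr": "198.51.100.7"},
        {"source.type": "bro", "ip_src_addr": "10.0.0.5", "ip_dst_addr": "198.51.100.8"},
        {"source.type": "snort", "ip_src_addr": "10.0.1.9", "ip_dst_addr": "10.0.0.5"},
        {"source.type": "yaf", "ip_src_addr": "192.0.2.1", "ip_dst_addr": "10.0.0.6"},
    ]
    enriched = [bolt.enrich(e) for e in events]
    return enriched, bolt.store_lookups


if __name__ == "__main__":
    results, lookups = run_example()
    for r in results:
        print(r)
    print("store lookups:", lookups)
```

Running it, the two events from 10.0.0.5 share one store lookup and the unknown 192.0.2.1
is looked up once and then remembered as a miss, so four events cost three store calls.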
